Configure VPN server in Linux for Windows / Linux clients

A VPN (Virtual Private Network) server provides the network technology that lets us extend the reach of our local network over the Internet; a typical example is two branch offices communicating with each other using only the Internet as the link between them.

A VPN solution brings many benefits, such as cost reduction, communication without borders, and the integrity, confidentiality and security of the data.

With VPN technology we can connect local networks regardless of their geographical location, simply by having an Internet connection; this saves the high cost of physical links while still providing a very secure connection.

The different types of Virtual Private Network (VPN) are:

Remote Access VPN: gives external collaborators the possibility of connecting to the network from remote sites over the Internet. Since they are authenticated through a trust relationship, they usually have the same access as an internal collaborator.

Point-to-Point VPN: provides a tunnel connecting remote sites (branches) to a central headquarters, eliminating the expensive traditional point-to-point links over physical media.

VPN on Local Network: also called “VPN over LAN”, this is a Remote Access VPN that uses the local network itself as the access link instead of the Internet. It is normally used to give extra protection to certain areas of the network, so that only users holding the required trust relationship (the VPN credentials) can reach them.

Now that we have covered the basic concepts of VPN technology, we can talk about the solution we are going to implement in this article: OpenVPN.

OpenVPN is a software-based SSL (Secure Sockets Layer) VPN solution. It offers point-to-point connectivity with hierarchical validation of remotely connected users and hosts, is a very good option on Wi-Fi (IEEE 802.11 wireless) networks, and supports a wide range of configurations, including load balancing. It is released under the GPL free software license.

In this guide we are going to configure a basic VPN server to which a client connects from outside, in other words a Remote Access VPN. Before putting the guide into practice you need to know Shorewall and to have it installed and configured (see the SHOREWALL GUIDE), since it will be used.

First we install the necessary packages with the following command:

yum install openvpn lzo

We go to the OpenVPN directory:

cd /etc/openvpn/

To simplify the configuration task, we copy the easy-rsa 2.0 folder into /etc/openvpn/:

cp -r /usr/share/openvpn/easy-rsa/ /etc/openvpn

We enter the folder easy-rsa/2.0 (the one inside /etc/openvpn) and modify the last lines of the vars file according to our own data; in my case they ended up like this:

export KEY_COUNTRY="RD"
export KEY_PROVINCE="ST"
export KEY_CITY="Los Angeles"
export KEY_ORG="dot-libre.org"
export KEY_EMAIL="user@mail-address.com"

After saving the vars file we load the modified variables with the command below (note: we must be in the /etc/openvpn directory). Every time we want to generate a new certificate with different data we must run this command again:

source /etc/openvpn/easy-rsa/2.0/vars

Then we remove any previously generated certificates and keys:

sh /etc/openvpn/easy-rsa/2.0/clean-all

We create the certificate of the Certification Authority (CA), which will sign the server and client certificates, accepting the defaults:

sh /etc/openvpn/easy-rsa/2.0/build-ca

We create the file dh1024.pem, which holds the 1024-bit Diffie-Hellman parameters:

sh /etc/openvpn/easy-rsa/2.0/build-dh

We generate the server certificate and key:

sh /etc/openvpn/easy-rsa/2.0/build-key-server server

We generate the client keys; in this case we generate a key for a single client:

sh /etc/openvpn/easy-rsa/2.0/build-key client1

The certificates and keys we generate are placed in the keys folder inside the easy-rsa folder.
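Before pointing the server at that keys folder it is worth checking that the easy-rsa run actually produced a consistent set of files. The script below is an added example and not part of the original article: for the two identities generated above (server and client1) it verifies that the certificate chains to ca.crt, that the private key belongs to that certificate, and that the key file is not readable by other users. It needs the openssl command and takes the keys directory as its only argument (for example /etc/openvpn/easy-rsa/2.0/keys).

```shell
#!/bin/sh
# Added example, not code from the original article: verify the output of the
# easy-rsa steps above before the server is pointed at it.
# Usage: sh check-pki.sh /etc/openvpn/easy-rsa/2.0/keys

# Return 0 if certificate $2 is signed by (chains to) the CA certificate $1.
cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 if private key $2 belongs to certificate $1: both must carry the
# same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the key file is readable only by its owner (mode 600 or 400).
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Check one identity ($2: server, client1, ...) in keys directory $1.
# Prints one line per problem and returns the number of problems (0 = OK).
check_identity() {
    dir=$1; name=$2; problems=0
    for f in "$dir/ca.crt" "$dir/$name.crt" "$dir/$name.key"; do
        if [ ! -f "$f" ]; then
            echo "missing file: $f"; problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ] || return "$problems"
    cert_signed_by_ca "$dir/ca.crt" "$dir/$name.crt" ||
        { echo "$name.crt is not signed by ca.crt"; problems=$((problems + 1)); }
    key_matches_cert "$dir/$name.crt" "$dir/$name.key" ||
        { echo "$name.key does not belong to $name.crt"; problems=$((problems + 1)); }
    key_perms_ok "$dir/$name.key" ||
        { echo "$name.key is readable by other users; run: chmod 600 $dir/$name.key"; problems=$((problems + 1)); }
    return "$problems"
}

# When run as a script with a directory argument, check both identities
# generated above and exit non-zero if anything is wrong.
if [ $# -eq 1 ]; then
    rc=0
    for name in server client1; do
        check_identity "$1" "$name" || rc=1
    done
    exit "$rc"
fi
```

A certificate that fails the first check is one the CA never issued (or one issued by a different CA after a clean-all), and a key that fails the second is the most common cause of a silent "TLS Error" on connect; the permission check matters because anyone who can read server.key can impersonate the server.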

The next step is to create the VPN server configuration file: in /etc/openvpn we create the file servervpn-tcp-1194.conf (it is essential that the name ends in .conf) with the following parameters:

port 1194
proto tcp
dev tun
# ---- Key section -----
ca easy-rsa/2.0/keys/ca.crt
cert easy-rsa/2.0/keys/server.crt
key easy-rsa/2.0/keys/server.key
dh easy-rsa/2.0/keys/dh1024.pem
# ----------------------------
server 192.168.50.0 255.255.255.0
ifconfig-pool-persist pp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status-servervpn-udp-1194.log
verb 3
client-to-client
duplicate-cn
max-clients 20

Here is a description of the configuration:

port: the port the VPN server will listen on.

proto: the protocol to be used for the connection.

dev: type of virtual interface to be used.

ca: location of the Certification Authority certificate.

cert: location of the .crt server certificate we generated.

key: location of the .key private key we generated.

dh: location of the .pem Diffie-Hellman parameters file we generated.

server: virtual network range to be used.

ifconfig-pool-persist: file where the addresses assigned to connected machines are recorded.

keepalive 10 120: sends a ping every ten seconds and, if no reply arrives within 120 seconds, considers the connection down and restarts it.

comp-lzo: the data carried through the VPN tunnel is compressed.

persist-key: do not re-read the key files when the tunnel restarts.

persist-tun: do not close and reopen the TUN/TAP device (nor run the up/down scripts) when the tunnel restarts.

status: file where the status log will be stored.

verb: level of logging detail desired.

One thing to keep in mind: in the server parameter we cannot use a network range that the VPN client is likely to have on its own network, since that would cause conflicts; choose a less common range, for example 192.168.50.0/24.

client-to-client: without this parameter VPN clients cannot communicate with the other VPN clients.

duplicate-cn: with this parameter several clients can be connected at the same time using the same certificate.

max-clients: maximum number of clients that can be connected at the same time.
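The parameters above are easy to get subtly wrong: a key path that does not exist, a server subnet that collides with a route the host already has (the conflict just mentioned), and two options that are convenient but weaken the setup: duplicate-cn lets one leaked client certificate be used by many clients at once, and client-to-client lets VPN clients reach each other without their traffic passing the host firewall. The 1024-bit dh1024.pem is also considered weak today; 2048-bit parameters are the usual minimum. The following linter is an added example, not code from the original article or from the OpenVPN project; it takes the config file path as its argument and reads the host's routes with ip -4 route.

```shell
#!/bin/sh
# Added example, not code from the original article: lint an OpenVPN server
# configuration such as servervpn-tcp-1194.conf before starting the service.
# Usage: sh lint-server.sh /etc/openvpn/servervpn-tcp-1194.conf

# Dotted-quad IPv4 address -> integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Dotted-quad netmask (255.255.255.0) -> prefix length (24).
mask2len() {
    m=$(ip2int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# Network address (as integer) of "a.b.c.d/len".
net_of() {
    len=${1#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    echo $(( $(ip2int "${1%/*}") & mask ))
}

# Return 0 if the two CIDR subnets overlap, i.e. one contains the other.
subnet_overlaps() {
    la=${1#*/}; lb=${2#*/}
    l=$(( la < lb ? la : lb ))
    [ "$(net_of "${1%/*}/$l")" -eq "$(net_of "${2%/*}/$l")" ]
}

# Record one finding.
note() { echo "$1"; findings=$(( findings + 1 )); }

# Lint config $1 against the host routes in $2 (the text of "ip -4 route").
# Prints one line per finding and returns the number of findings (0 = clean).
lint_server_conf() {
    conf=$1; routes=$2; dir=$(dirname "$conf"); findings=0
    # Every referenced key file must exist (relative paths are relative to
    # the config's directory, as OpenVPN resolves them when started there).
    for opt in ca cert key dh; do
        f=$(awk -v o="$opt" 'tolower($1) == o { print $2; exit }' "$conf")
        [ -n "$f" ] || { note "$opt is not set"; continue; }
        case "$f" in /*) p=$f ;; *) p="$dir/$f" ;; esac
        [ -f "$p" ] || note "$opt file not found: $p"
    done
    grep -qi '^duplicate-cn' "$conf" &&
        note "duplicate-cn: one leaked client certificate could be used by many clients at once"
    grep -qi '^client-to-client' "$conf" &&
        note "client-to-client: VPN clients reach each other without passing the host firewall"
    grep -qi '^dh .*dh1024' "$conf" &&
        note "dh1024.pem: 1024-bit Diffie-Hellman parameters are weak, generate 2048-bit ones"
    # The VPN subnet must not overlap anything the host already routes.
    set -- $(awk 'tolower($1) == "server" { print $2, $3; exit }' "$conf")
    if [ $# -eq 2 ]; then
        vpn="$1/$(mask2len "$2")"
        for r in $(printf '%s\n' "$routes" | awk '$1 ~ /\// { print $1 }'); do
            subnet_overlaps "$vpn" "$r" && note "server subnet $vpn overlaps existing route $r"
        done
    fi
    return "$findings"
}

if [ $# -eq 1 ]; then
    lint_server_conf "$1" "$(ip -4 route 2>/dev/null)"
fi
```

The route check only sees the server's own routing table; the client side of the same conflict (a client whose home LAN is already 192.168.50.0/24) has to be avoided by choosing the range as the article suggests.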

We have to make a few system settings. We load the module:

modprobe tun

We enable IP forwarding: we open the /etc/sysctl.conf file and check that the following parameter is set like this:

net.ipv4.ip_forward = 1

And then we run the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

We check that /dev/net/tun exists; if it does not, we create it:

mknod /dev/net/tun c 10 200

Configuration in Shorewall:

In Shorewall we have to add a few entries. We begin by adding the zone in /etc/shorewall/zones; whatever our existing configuration, we must add the following:

#ZONE   DISPLAY
vpn     ipv4

Then we assign the vpn zone to the tun0 interface (this was my case; you can check the interface name with the ifconfig command) in the file /etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST   OPTIONS
vpn     tun0        detect      dhcp

Whatever our existing configuration, we create policies for this zone in the file /etc/shorewall/policy. For example, if we have the zones net (Internet), fw (firewall/server) and loc (local network), an example configuration would be:

#SOURCE   DEST   POLICY
fw        all    ACCEPT
loc       all    ACCEPT
net       all    DROP
vpn       all    ACCEPT

We are accepting all connections except those coming from the Internet. Now, whatever our other rules in Shorewall, we have to open port 1194 (the port chosen earlier) so that clients can connect; we edit the rules file in /etc/shorewall:

#ACTION   SOURCE   DEST   PROTO   DEST PORT
ACCEPT    net      fw     tcp     1194
ACCEPT    fw       net    tcp     1194

To finish with Shorewall we edit the file /etc/shorewall/tunnels, where the VPN connections are defined: we specify the port we will use and the network address where the server is located, in my case 192.168.1.0/24.

#TYPE                 ZONE   GATEWAY
openvpnserver:1194    vpn    192.168.1.0/24

Linux Client Configuration:

To configure VPN clients on Linux we will use OpenVPN itself (NetworkManager can also be used). To begin we need the files generated earlier on our Linux client machine:

    ca.crt

    client1.crt

    client1.csr

    client1.key

As we know, these files were generated in the folder /etc/openvpn/easy-rsa/2.0/keys. Once we have the files on the client machine we install openvpn:

yum install openvpn

Then we create a folder called keys inside /etc/openvpn, copy the files mentioned above into it, and create a configuration file in /etc/openvpn called client1-udp-1194.ovpn with the following content:

client
dev tun
proto tcp
remote <domain-or-ip-of-the-vpn-server> 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
# ------ KEYS SECTION --------
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
ns-cert-type server
# ---------------------------------
comp-lzo
verb 3

Here is a description of each parameter:

client: specifies that openvpn will run as a client.

dev: type of virtual interface to be used.

proto: protocol to be used for the connection.

remote: the domain name or IP of the VPN server and its port.

float: accepts packets from any address, not only the one specified in --remote.

resolv-retry: if resolving the server name fails, keep retrying for the given number of seconds (infinite means retry forever).

nobind: do not bind to a local address or port.

persist-key: do not re-read the key files when the tunnel restarts.

persist-tun: do not close and reopen the TUN/TAP device (nor run the up/down scripts) when the tunnel restarts.

ca: location of the Certification Authority certificate.

cert: location of the .crt client certificate we generated.

key: location of the .key private key we generated.

ns-cert-type server: require the server's certificate to be a server certificate, so that a client certificate cannot be used to impersonate the server.

comp-lzo: compresses the transmitted data.

We load the module, activate IP forwarding and check that /dev/net/tun exists (we explained earlier how to do this).

To finish configuring the client we restart openvpn:

service openvpn restart

With this we have connectivity only with the machines inside the VPN; if we also want connectivity with the server's local network, we add the following to the client configuration file:

route 192.168.1.0 255.255.255.0

This is for the case where the local network is that one. If we also want to use a DNS server on that network, we do so with the following parameter:

dhcp-option DNS 192.168.1.100

where 192.168.1.100 is the IP of the DNS server. The finished configuration file looks like this:

client
dev tun
proto tcp
remote <domain-or-ip-of-the-vpn-server> 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
route 192.168.1.0 255.255.255.0
dhcp-option DNS 192.168.1.100
# ------ KEYS SECTION --------
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
ns-cert-type server
# ---------------------------------
comp-lzo
verb 3

Then we restart the OpenVPN service, and we have connectivity with the machines on the local network and can make queries to the DNS server.
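After the restart, the quickest way to confirm the tunnel really came up, and that the route added with route 192.168.1.0 255.255.255.0 goes through the tunnel rather than the LAN interface, is to read the OpenVPN log and the routing table. The script below is an added example and not part of the original article: the strings it matches ("Initialization Sequence Completed", "TLS Error") are the ones OpenVPN itself prints at verb 3, and the log and route lines in the test are constructed. Note that on Linux the dhcp-option DNS value is only written to /etc/resolv.conf if an up script (such as the update-resolv-conf script shipped with OpenVPN) applies it, so the DNS check is reported separately.

```shell
#!/bin/sh
# Added example, not code from the original article: check a Linux client
# after "service openvpn restart".
# Usage: sh client-check.sh /var/log/messages 192.168.1.0/24 tun0 192.168.1.100

# Return 0 if the log text ($1) shows a completed connection. A failed TLS
# handshake (wrong ca.crt, wrong client certificate or key, clock skew) is
# reported with its own return code so the caller can tell the two apart.
vpn_log_state() {
    if printf '%s\n' "$1" | grep -q 'Initialization Sequence Completed'; then
        return 0
    elif printf '%s\n' "$1" | grep -q 'TLS Error'; then
        echo "TLS handshake failed: check ca.crt and the client certificate/key"
        return 2
    else
        echo "tunnel not up yet (no 'Initialization Sequence Completed' in log)"
        return 1
    fi
}

# Return 0 if the routing table text ($1, output of "ip -4 route") has a route
# for subnet $2 through interface $3.
route_via_tun() {
    printf '%s\n' "$1" | awk -v net="$2" -v dev="$3" '
        $1 == net { for (i = 2; i < NF; i++) if ($i == "dev" && $(i+1) == dev) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the resolver configuration text ($1) lists nameserver $2.
dns_pushed() {
    printf '%s\n' "$1" | awk -v ns="$2" '
        $1 == "nameserver" && $2 == ns { f = 1 }
        END { exit f ? 0 : 1 }'
}

# Run the three checks against the live system: log file $1, LAN subnet $2,
# tun interface $3, DNS server $4.
client_check() {
    vpn_log_state "$(cat "$1")" || return $?
    route_via_tun "$(ip -4 route)" "$2" "$3" ||
        { echo "no route to $2 via $3 (on Windows 7 this is the symptom of not running OpenVPN as administrator)"; return 3; }
    dns_pushed "$(cat /etc/resolv.conf)" "$4" ||
        { echo "nameserver $4 is not in /etc/resolv.conf; the dhcp-option needs an up script on Linux"; return 4; }
    echo "VPN up, LAN route and DNS present"
}

if [ $# -eq 4 ]; then
    client_check "$@"
fi
```

The return codes are deliberately distinct (1 not up, 2 TLS failure, 3 missing route, 4 missing DNS) so the script can be used from a monitoring job that reacts differently to a certificate problem than to a missing route.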

Configuration of a Windows client:

To configure a Windows client we install a program called OpenVPN-GUI, which we can download from http://openvpn.se; after installing it we go to the folder C:\Program Files\OpenVPN\config.

In this folder we copy the files:

    ca.crt

    client1.crt

    client1.csr

    client1.key

And we create the file client1-udp-1194.ovpn with the following content:

client
dev tun
proto tcp
remote <domain-or-ip-of-the-vpn-server> 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
route 192.168.1.0 255.255.255.0
dhcp-option DNS 192.168.1.100
# ------ KEYS SECTION --------
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
# ---------------------------------
comp-lzo
verb 3

The meaning of each parameter was explained earlier when configuring the Linux client. We save the file and run the OpenVPN GUI client, which places an icon in the system tray; we right-click it and choose Connect.

Once connected, the icon turns green and a notification shows the virtual IP. Keep in mind that the security controls of Windows 7 are stricter than those of XP, so the VPN connection will not work properly unless we run OpenVPN as administrator: right-click it and choose “Run as administrator”, or go to Properties, open the Compatibility tab and tick the “Run as administrator” checkbox.

If we do not do this, the client connects fine but we cannot communicate with the remote devices, because the routes are not added (the route command can only be run as administrator); this only happens on Windows 7.

Written by
Am horla


  1. useful article

    • Oh.. Glad to hear that..
      Thanks for your feedback..

  2. NICELY WRITTEN ARTICLE..

    • Janvi,
      Thanks for your kind word.. Always check back for more

  3. thanks for this information. thank you

    • Hey Deepak, glad you find it helpful..

  4. thanks for giving this information

    • Appreciate your contribution..
      Keep checking back for more..

  5. thanks for the information..

  6. Thanks for sharing this wonderful information with us.

    • Glad you find it helpful.
